Category: Announcements


An Instructive Tale About Using IAM Best Practices

An interesting blog post came to our attention recently: My $500 Cloud Security Screw-up by Rich Mogull. He describes how a chain of unfortunate events taught him to adhere to several important AWS security principles. Mike Pope, senior technical writer for AWS Identity, paraphrases the post here.


Rich had inadvertently leaked his AWS access keys, allowing unauthorized users to launch EC2 instances in his account for their own purposes. Fortunately, AWS Support alerted him and he was able to disable the keys quickly. It is instructive to read how an innocent error caused the problem, how he contained it, and what forensics he used to determine what had happened.

This story gives us an opportunity to reiterate some of our AWS best practices:

(more…)

A Retrospective of 2013

We established the Security Blog in April 2013 to provide you with guidance, best practices, and technical walk-throughs to help increase the security of your AWS account and better achieve compliance. Hopefully you have been able to read all of the posts published in 2013, but in case you’ve missed a few, here is an index of our in-depth posts:

IAM

We posted a mixture of prescriptive guidance and detailed explanations of newly released Identity and Access Management (IAM) features and best practices, geared towards practitioners.

(more…)

Make a New Year Resolution

Make a New Year Resolution for 2014 to adhere to the best practices put forth by AWS Security and Identity. Two pieces of work published in 2013 are filled with guidance and are highly actionable. AWS published the Security Best Practices whitepaper, which surveys the security-oriented technologies available to you, including IAM, encryption, and compliance reporting. The Security Blog post that outlined the whitepaper was the second most popular post of the year (behind Writing IAM Policies: How to grant access to an Amazon S3 bucket), illustrating the level of interest in cloud security topics.

The other piece of work to reference is the IAM Top Ten Best Practices session at re:Invent. I encourage you to view the recorded session, but here is a quick rundown to get you started:

  1. Lock away your AWS account access keys
  2. Create individual IAM users
  3. Use groups to assign permissions to IAM users
  4. Grant least privilege
  5. Configure a strong password policy for your users
  6. Enable MFA for privileged users
  7. Use roles for applications that run on Amazon EC2 instances
  8. Delegate by using roles instead of by sharing credentials
  9. Rotate credentials regularly
  10. Use policy conditions for extra security

Following these best practices will help make your AWS account as secure as possible, and should give you both more peace of mind and greater control as you expand your use of AWS.
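Several of the practices above can be checked mechanically rather than taken on faith. The following is an added example, not part of the original post or of any AWS tooling: it audits an IAM credential report (the CSV that `aws iam get-credential-report` returns, using the column names AWS documents) against practice 1 (no root access keys), practice 6 (MFA for anyone with a console password) and practice 9 (rotate access keys). The report embedded below is constructed for illustration; the account ID, user names, dates and the 90-day rotation threshold are all assumptions.

```python
"""Audit an IAM credential report against Top Ten practices 1, 6 and 9.

Added example, not from the original post. The CSV layout matches the
real credential report; every value in SAMPLE_REPORT is invented.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

ROTATION_MAX_AGE = timedelta(days=90)                      # assumption: 90-day key rotation policy
REPORT_DATE = datetime(2013, 12, 31, tzinfo=timezone.utc)  # "now" for the constructed report

# Constructed sample report: same header the real report uses, values invented.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2013-01-01T00:00:00+00:00,not_supported,2013-12-01T00:00:00+00:00,not_supported,not_supported,false,true,2013-01-01T00:00:00+00:00,2013-12-01T00:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2013-03-10T00:00:00+00:00,true,2013-12-20T00:00:00+00:00,2013-11-01T00:00:00+00:00,2014-02-01T00:00:00+00:00,true,true,2013-11-15T00:00:00+00:00,2013-12-20T00:00:00+00:00,us-west-2,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2013-02-01T00:00:00+00:00,true,2013-12-19T00:00:00+00:00,2013-02-01T00:00:00+00:00,2014-05-01T00:00:00+00:00,false,true,2013-02-01T00:00:00+00:00,2013-12-19T00:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2013-06-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2013-12-01T00:00:00+00:00,2013-12-21T00:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""


def parse_report_timestamp(value):
    """Parse the report's ISO-8601 timestamps; return None for markers such as N/A or not_supported."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_credential_report(report_csv, now=None, max_key_age=ROTATION_MAX_AGE):
    """Return a list of (user, practice_number, finding) for every row that violates a practice."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            # Practice 1: the root account should have no access keys at all, and should have MFA.
            for slot in ("1", "2"):
                if row[f"access_key_{slot}_active"] == "true":
                    findings.append((user, 1, f"root access key {slot} is active; delete it"))
            if row["mfa_active"] != "true":
                findings.append((user, 6, "root account has no MFA device"))
            continue
        # Practice 6: anyone who can sign in to the console should have MFA.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, 6, "console password enabled without MFA"))
        # Practice 9: active access keys older than the rotation threshold.
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = parse_report_timestamp(row[f"access_key_{slot}_last_rotated"])
            if rotated is None or now - rotated > max_key_age:
                age = "unknown" if rotated is None else f"{(now - rotated).days} days"
                findings.append((user, 9, f"access key {slot} age {age} exceeds {max_key_age.days} days"))
    return findings


if __name__ == "__main__":
    for user, practice, finding in audit_credential_report(SAMPLE_REPORT, now=REPORT_DATE):
        print(f"[practice {practice}] {user}: {finding}")
```

To run this against a real account, replace SAMPLE_REPORT with the decoded Content field returned by GetCredentialReport. The remaining practices (groups, least privilege, roles, policy conditions) concern how permissions are structured, so they have to be checked against the policy documents rather than the credential report.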

– Jim

AWS SDK Blog Posts About IAM Roles

The .NET Developers Blog recently published two easy-to-read posts about access key management for .NET applications. The first covers the background of access key management and the use of IAM roles for EC2. The second goes deeper into creating and using IAM users and groups instead of the root account credentials. The next post will discuss rotating credentials; in the meantime, if you would like a detailed description of rotating access keys, the Security Blog published a post on the subject in early October.

– Ben

Credentials Best Practices on the AWS Java Developers Blog

David Murray published a great post about best practices for IAM credentials earlier today (December 9th). He gives a high-level description of IAM, followed by methods for using IAM roles for EC2. To learn more, go to the Java Developers Blog.

– Ben

Announcing Resource-Level Permissions for AWS OpsWorks

We are pleased to announce that AWS OpsWorks now supports resource-level permissions. AWS OpsWorks is an application management service that lets you provision resources, deploy and update software, automate common operational tasks, and monitor the state of your environment. You can optionally use the popular Chef automation platform to extend OpsWorks using your own custom recipes.

With resource-level permissions you can now:

  • Grant users access to specific stacks, making management of multi-user environments easier. For example, you can give a user access to the staging and production stacks but not the secret stack.
  • Set user-specific permissions for actions on each stack, for example deciding, per stack, who can deploy new application versions or create new resources.
  • Delegate management of each OpsWorks stack to a specific user or set of users.
  • Control user-level SSH access to Amazon EC2 instances, allowing you to instantly grant or remove access to instances for individual users.

(more…)

Recap of re:Invent 2013 Sessions

Amazon Web Services (AWS) held its second annual user conference, re:Invent 2013, in Las Vegas on November 13th-15th. Security was again one of the top tracks of the program, with 22 sessions covering every area of cloud security. re:Invent 2013 was a great success.

Here are links to the videos and presentations for all the security-related sessions (those without links will be updated over the next couple of weeks):

(more…)

Amazon EC2 Resource-Level Permissions for RunInstances

Yesterday the EC2 team announced resource-level permissions for RunInstances. This release lets you control which AMIs, snapshots, subnets, and other resources may be used when creating instances, and which instance and volume types users may create, all through IAM policies on the RunInstances API.

This is a major milestone in the security story around EC2. Previously it was not practical to share a single account among a variety of users within one organization, because any user permitted to call RunInstances could launch anything. This feature makes a shared account much more feasible, and enables long-requested controls such as "only allow my users to launch approved AMIs".
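The "approved AMIs only" control above, and practice 10 from the IAM Top Ten (use policy conditions), both rest on the same evaluation rule: a RunInstances call is authorized against every resource it touches (the AMI, the instance, the subnet, the volumes, the key pair, the security groups), each must be allowed, and an explicit Deny beats any Allow. The following is an added example, not AWS code and not the post's own: a deliberately simplified model of that evaluation, supporting only Effect, Action, Resource and StringEquals/StringLike conditions, run over an invented policy. The account ID, AMI IDs, subnet and security-group IDs are assumptions.

```python
"""Simplified IAM evaluation for ec2:RunInstances with resource-level permissions.

Added example, not AWS code. Models: every resource ARN in the call must be
allowed; explicit Deny > Allow > implicit deny; conditions on a statement must
hold for that statement to apply. Not modelled: NotAction, NotResource,
Principal, or the many other condition operators.
"""
import re


def glob_match(pattern, value):
    """IAM-style matching: '*' matches any run of characters, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def as_list(x):
    return x if isinstance(x, list) else [x]


def condition_holds(condition, context):
    """All operators and keys must match; a key absent from the request context fails."""
    for operator, keys in condition.items():
        for key, wanted in keys.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringEquals":
                ok = actual in as_list(wanted)
            elif operator == "StringLike":
                ok = any(glob_match(p, actual) for p in as_list(wanted))
            else:
                raise ValueError(f"operator {operator} is outside this model")
            if not ok:
                return False
    return True


def resource_decision(policy, action, resource, context):
    """Decision for one resource ARN: explicit Deny wins, then Allow, else implicit deny."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not any(glob_match(a, action) for a in as_list(stmt["Action"])):
            continue
        if not any(glob_match(r, resource) for r in as_list(stmt["Resource"])):
            continue
        if not condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def authorize_run_instances(policy, resources, context):
    """Return (allowed, {resource_arn: decision}); the call is allowed only if every resource is."""
    decisions = {r: resource_decision(policy, "ec2:RunInstances", r, context) for r in resources}
    return all(d == "Allow" for d in decisions.values()), decisions


# Invented policy: launch only two approved AMIs, only small instance types, only in us-east-1.
ACCOUNT = "123456789012"   # assumption
APPROVED_AMIS = ["ami-1a2b3c4d", "ami-5e6f7a8b"]   # assumption
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:RunInstances",
         "Resource": [f"arn:aws:ec2:us-east-1::image/{ami}" for ami in APPROVED_AMIS]},
        {"Effect": "Allow", "Action": "ec2:RunInstances",
         "Resource": f"arn:aws:ec2:us-east-1:{ACCOUNT}:instance/*",
         "Condition": {"StringEquals": {"ec2:InstanceType": ["t1.micro", "m1.small"]}}},
        {"Effect": "Allow", "Action": "ec2:RunInstances",
         "Resource": [f"arn:aws:ec2:us-east-1:{ACCOUNT}:{kind}/*"
                      for kind in ("subnet", "volume", "key-pair", "security-group", "network-interface")]},
    ],
}


def launch_resources(ami, instance_type, region="us-east-1"):
    """The resource ARNs a RunInstances call is checked against (a representative subset), plus the request context."""
    arns = [
        f"arn:aws:ec2:{region}::image/{ami}",
        f"arn:aws:ec2:{region}:{ACCOUNT}:instance/*",           # instance ID is unknown before launch
        f"arn:aws:ec2:{region}:{ACCOUNT}:subnet/subnet-0a1b2c3d",
        f"arn:aws:ec2:{region}:{ACCOUNT}:volume/*",
        f"arn:aws:ec2:{region}:{ACCOUNT}:security-group/sg-11223344",
    ]
    return arns, {"ec2:InstanceType": instance_type}


if __name__ == "__main__":
    for ami, itype in [("ami-1a2b3c4d", "t1.micro"), ("ami-deadbeef", "t1.micro"), ("ami-1a2b3c4d", "m3.2xlarge")]:
        allowed, why = authorize_run_instances(POLICY, *launch_resources(ami, itype))
        denied = [r for r, d in why.items() if d == "Deny"]
        print(ami, itype, "ALLOW" if allowed else "DENY", denied)
```

The third case is the one that trips people up: the AMI is approved, but because the instance ARN is only allowed under an ec2:InstanceType condition, an m3.2xlarge launch is denied on the instance resource even though every other resource is allowed. The same per-resource view is what you get from the real service's authorization failure messages.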

To learn more, see Derek Lyon’s post on the AWS Blog.

– Ben

New Whitepaper: AWS Cloud Security Best Practices

We have just published an updated version of our AWS Security Best Practices whitepaper. You asked us for a holistic and familiar approach to managing your organization's overall information security posture, based on periodic risk assessments, when you deploy applications and assets on AWS. Specifically, you asked for:
  • How security responsibilities are shared between AWS and you, the customer
  • How to define and categorize your assets
  • How to manage user access to your data using privileged accounts and groups
  • Best practices for securing your data, operating systems, and network
  • How monitoring and alerting can help you achieve your security objectives

(more…)

Introducing the AWS Compliance Forum


We’re happy to announce the launch of the AWS Compliance Forum – a unique community designed for AWS customers interested in achieving compliance while using AWS services.

The AWS Compliance Forum was developed based on discussions with customers who wanted a community to connect with fellow AWS customers, interact with AWS compliance specialists, and access specialized industry enablers and education. This forum can support you in your efforts to achieve and maintain security assurance and compliance with your industry and regulatory standards while using AWS.

There is no additional charge for being a member of the AWS Compliance Forum – the only requirement is to take a brief entrance survey so that forum content and discussions can be catered to your industry, geography, and interests.

Take the survey and join the forum now >> AWS Compliance Forum Entrance Survey

– Chad